Serious Imgur bug exploited to execute worm-like attack on 8chan users

(credit: John Lodder)

A recently discovered attack on visitors of the 8chan image website went well beyond the venue's usual script-kiddie fare by combining two weaknesses on that property with a potentially catastrophic vulnerability on the wildly popular photo-sharing site Imgur.com.

The result: the browsers of people who viewed certain Imgur-hosted images linked on one or more Reddit sections automatically executed code of the attacker's choice. That malicious JavaScript code in turn reached out to 8chan and exploited two additional but completely separate vulnerabilities on that site. From then on, every time one of these people visited an 8chan page, their browser would report to an attacker-controlled server and await instructions. In the process, the infected browser would bombard 8chan servers with hundreds of additional requests, although some researchers aren't convinced a denial-of-service on 8chan was the objective of the hack.

Worm-like properties

The hack had the potential to take on worm-like properties, in which a handful of viral images could generate an endless stream of traffic, and millions and millions of new infections. It never got to that point, because Imgur fixed the Web-application bug on its site Tuesday morning, while 8chan temporarily blocked the execution of files based on Adobe's Flash media player. With the immediate threat averted, the question security researchers' asked was why a vulnerability so potentially powerful as the one exploited against Imgur squandered on such a limited number of people?

Read 5 remaining paragraphs | Comments